Details and best practices for Insight configuration in Cloud Workload Protection for Storage

Article ID: 205230

Products

Cloud Workload Protection for Storage

Issue/Introduction

You are using Symantec Cloud Workload Protection for Storage (CWPs) and would like to know more about Insight, what it does, and best practices for configuration.

Resolution

About Insight

Symantec collects information about files from its global community of millions of users and its Global Intelligence Network. The collected information is made available to Symantec products in the cloud through Symantec Insight. Symantec Insight provides a file reputation database and the latest virus and spyware definitions. CWPs leverages Insight to protect cloud-based storage from new, targeted, and mutating threats. Cloud Workload Protection for Storage queries for file reputation in real time. These queries are called reputation lookups, cloud lookups, or Insight lookups.


Insight reputation ratings

Symantec Insight determines each file's level of risk or security rating. The rating is also known as the file's reputation.
Insight determines a file's security rating by examining the following characteristics of a file and its context:

  • The source of the file
  • How new the file is
  • How common the file is in the community
  • Other security metrics, such as how the file might be associated with malware


Insight Configuration

Insight can be configured in CWPs via the Anti-Malware policy. This policy is accessible in the console under Policies -> Anti-Malware.

Insight in CWPs is divided into two categories:

File Insight

A file-based detection technology that classifies files as good or bad. Files are classified by examining the file's properties, usage patterns, or users rather than by scanning its contents. Insight-based security puts files in context, using their age, frequency, location, and more to expose threats that are otherwise missed.

Mobile Insight

Applies Symantec's Global Intelligence Network to classify Android application package (APK) files using Insight technology.


There are two configurations for Insight detection in CWPs:

Detection Level

Determines the level at which CWPs will take action against a file and generate alerts due to its reputation.

Monitoring Level

Determines the level at which CWPs will log and generate alerts against a file due to its reputation.

These levels can be configured independently, so administrators can log and alert at a more aggressive level than the one at which action is taken. This gives a more aggressive level of monitoring while reducing the chance of impacting vital data with false positive detections.


Detection and monitoring levels are divided into four categories:

Known Bad

Appropriate for highly false-positive-averse divisions or test environments that cannot tolerate the blocking of newly downloaded or created good files that are still building reputation (for example, new files from little-known publishers). At this level, malware that is still building reputation may evade detection, but the system is highly unlikely to convict good files at scan time.

Low

Appropriate for most private storage accounts used in normal production. This level balances false positive (FP) risk and detection to capture most malware with low FPs.

Medium

Appropriate for publicly accessible storage used for file intake from unknown sources. Balances the need for security while maintaining a lower rate of false positives.

High

Appropriate for highly secure environments where you wish to lock down a storage account or bucket that does not frequently contain new or unproven software. False positives on newly downloaded good files that lack a higher reputation will occur at this level, but very little malware will evade detection.


False positive prevention


File Insight in CWPs will not detect known good files as malware. There are several ways to make sure your good files are known as 'good'. The following steps will help prevent false positives when using CWPs:


Using Digital Signatures

One of the easiest ways to identify that a file is 'good' is to know where it came from and who created it. An important factor in building confidence that a file is 'good' is to check its digital signature. Executable files without a digital signature have a higher chance of being identified as 'unknown' or low-reputation.

  • Custom or home-grown applications should be digitally signed with class three digital certificates.
  • Customers should insist that their software vendors digitally sign their applications.
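A practical way to act on the two points above is to inventory the executables you are about to place in storage and flag the ones that carry no embedded Authenticode signature at all, so they can be signed (or submitted for whitelisting) before they are ever scanned. The script below is an added example and is not Symantec or CWPs code: it parses the PE optional header's certificate table (the security data directory) to tell signed from unsigned images, walks a directory, and reports the unsigned ones. It assumes executables are recognised by extension, and the two sample images it scans are constructed stubs built in the block (not loadable binaries). It only checks that a signature blob is present; validating the chain is a separate step (for example with signtool or Get-AuthenticodeSignature).

```python
"""Added example (not Symantec/CWPs code): flag PE executables that lack an
embedded Authenticode signature before they are uploaded to storage.
Assumes executables are identified by extension; sample PEs are constructed stubs."""
import os
import struct
import tempfile
from dataclasses import dataclass

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # certificate table slot in the data directories
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode PKCS#7 SignedData
EXECUTABLE_EXTS = (".exe", ".dll", ".sys")  # assumption: what counts as an executable


@dataclass
class SignatureInfo:
    is_pe: bool
    has_signature: bool
    cert_type: int = 0
    cert_length: int = 0
    note: str = ""


def inspect_pe_signature(data: bytes) -> SignatureInfo:
    """Report whether a PE image carries an embedded Authenticode blob.
    Presence only: this does not verify the certificate chain or the file hash."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return SignatureInfo(False, False, note="no MZ header")
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return SignatureInfo(False, False, note="no PE signature")
        opt_off = e_lfanew + 24  # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt_off)[0]
        if magic == 0x10B:       # PE32
            num_dirs_off, dirs_off = opt_off + 92, opt_off + 96
        elif magic == 0x20B:     # PE32+
            num_dirs_off, dirs_off = opt_off + 108, opt_off + 112
        else:
            return SignatureInfo(True, False, note="unknown optional header magic")
        num_dirs = struct.unpack_from("<I", data, num_dirs_off)[0]
        if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
            return SignatureInfo(True, False, note="no security directory entry")
        entry_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        # For the security directory, "VirtualAddress" is a raw file offset.
        cert_off, cert_size = struct.unpack_from("<II", data, entry_off)
        if cert_off == 0 or cert_size == 0:
            return SignatureInfo(True, False, note="unsigned")
        if cert_off + 8 > len(data) or cert_off + cert_size > len(data):
            return SignatureInfo(True, False, note="security directory outside file")
        # WIN_CERTIFICATE: dwLength, wRevision, wCertificateType, bCertificate[]
        length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)
    except struct.error:
        return SignatureInfo(False, False, note="truncated header")
    return SignatureInfo(True, True, cert_type=cert_type, cert_length=length)


def find_unsigned_executables(root: str) -> list:
    """Walk root and return paths of PE executables with no embedded signature."""
    unsigned = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(EXECUTABLE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = inspect_pe_signature(fh.read())
            if info.is_pe and not info.has_signature:
                unsigned.append(path)
    return sorted(unsigned)


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32 header (not loadable), with or without a cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    blob = b""
    if signed:
        body = b"constructed-pkcs7-placeholder"                 # stand-in, not real DER
        blob = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob


def demo_scan() -> list:
    """Write one signed and one unsigned constructed sample; return unsigned basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, signed in (("vendor-signed.dll", True), ("homegrown-tool.exe", False)):
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(build_sample_pe(signed))
        return [os.path.basename(p) for p in find_unsigned_executables(tmp)]


if __name__ == "__main__":
    for name in demo_scan():
        print("unsigned executable:", name)
```

Run it against a staging directory by calling find_unsigned_executables on that path; anything it reports is a candidate for signing or for submission to the Symantec white list before it is exposed to a higher Detection level.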

Add to the Symantec White List

Symantec has a growing white list of over 25 million 'good' files. These files are used in testing signatures before they are published. Their hash values are also stored online and used to avoid false positives on the CWPs client via real-time cloud lookups whenever a file is detected by any of our client security technologies. This white list is a powerful tool for avoiding false positives. Customers and vendors can add files to this list. Software developers can request that their executables be added to the Symantec white list at https://symsubmit.symantec.com/


Test

Use the Monitoring level feature of CWPs to ensure good files are not detected before increasing the aggressiveness of the Detection level. This allows you to adjust the settings or the files before impacting production resources.